WinCIH

Hi,
My computer was affected by WinCIH. I don't mind recovering any data. I don't know much about these topics, but it seems to have damaged the master boot record, because when I boot with a system disk, I can't get to the C drive.
When I type C: what I get is a C: but an MS Ramdrive.
As I said, recovering data is not important for me; the only thing is to get to my real hard drive C:, clean the virus and install Win98 again.
Your step-by-step help on that problem will be appreciated.

First of all, I'm not a virus expert. This is just what I've heard or read:

In the best of cases, WinCIH only messes with the data on your hard disk. In the worst-case scenario, it also corrupts your BIOS, making it impossible to boot your computer again. You might need a new motherboard to solve this one.

I forgot to say that there seems to be no problem with my BIOS. I entered BIOS setup and made adjustments like changing the boot sequence. I've read many articles and previously asked questions.
As much as I've understood, most of them were able to get to their C drive and applied one of the solution methods, using different tools to clean the virus (e.g. cleancih, kill_cih).

You need to be sure that your boot disk is OK and that you can access your CD-ROM when you boot from it.
If this is OK, then you should do this:
1. Boot from the floppy.
2. Run fdisk and delete any partitions on your hard disk.
3. Reboot from the floppy.
4. Run fdisk, create a primary DOS partition and make it active.
5. Reboot from the floppy.
6. Format the partition you've just created.
7. Start the installation of Windows from the CD-ROM.

Partitioning and formatting the hard disk will remove any trace of the virus.
Hope this helps
Tonny

Well, I hate to be the bearer of bad news, but here's information from the AVP Encyclopedia.

You could very well have damaged hardware thanks to CIH. If fdisking does not work, try flashing the BIOS and see if that helps out at all.

Win95.CIH
This virus is also known as: Chernobyl, PE_CIH, W32.Spacefiller, WIN95/CIH, CIH, and W32.CIH.

This is a Windows95-specific parasitic PE (Portable Executable) file infector about 1 Kbyte in length. This virus was found "in-the-wild" in Taiwan in June 1998 - it was posted by the virus author to a local Internet conference as some utility. Within a week the virus was found in Austria, Australia, Israel, and the United Kingdom, and was also reported from several other countries (Switzerland, Sweden, USA, Russia, Chile, and the list keeps growing).

The virus installs itself into the Windows memory, hooks file access calls and infects EXE files that are opened. Depending on the system date (see below) the virus runs its trigger routine. The virus has bugs and in some cases halts the computer when an infected application is run.

The virus' trigger routine operates with Flash BIOS ports and tries to overwrite Flash memory with "garbage". This is possible only if the motherboard and chipset allow writing to Flash memory. Usually writing to Flash memory can be disabled by a DIP switch; however, this depends on the motherboard design. Unfortunately, there are modern motherboards that cannot be protected by a DIP switch - also, some of them do not pay attention to the switch position and this protection has no effect at all. Some other motherboard designs provide write protection that can be disabled/overridden by software.

During tests in our lab the virus did not overwrite the Flash BIOS and just halted the computer. We do however have reports from other sources telling that the virus really is able to mess it up.

The trigger routine then overwrites data on all installed hard drives. The virus uses direct disk write calls to achieve this and bypasses standard BIOS virus protection while overwriting the MBR and boot sectors.

If you submitted this question on the PC you think is infested with CIH, then you are OK. If the PC in question is at home, the best thing that you can do is ignore it today. ALL DAY.

If the former, for the simple fact that you were able to submit this question, it is doubtful that you still have CIH infecting your PC, because today, 4-26, is the detonation date for most versions of the Chernobyl WinCIH virus, the anniversary of the wee disaster over there. Especially any of the virus that originated from Taiwan.

So, if you are using the same PC that you think may be infected, you are probably not. If you were, as soon as you turned on your PC this a.m. it would have died, as CIH infects when any *.exe is used or any data is written to the system BIOS, i.e. turning it on, opening any app, or even something as simple as your clock running will kill the system.

If the former, and your infected PC is your home PC, I hope that you have not turned it on yet; if not, DO NOT, it will die, hardware and software. CIH _WILL_ kill your hard drive to a point where you need a new one; it happened to two friends last year. It may also ruin your mainboard and memory chips. Best bet, leave any PC alone today that may be infected, then tomorrow go get a good CIH cleaner.


nfroio,
I really fear it is too late to stop Domandro.
For the remaining audience, sometimes it is 'good' to go slow, pause and reflect before acting. While you are here in EE and not in a 'panic' mode, think on this:

"I can't wait to turn my PC on to see if it has the same virus _____!"

Sorry for being too late to evaluate this question. I was busy till now. Bobinmad and tonnybrandt were the ones to show me the correct way. You both commented at the same time. Will it be fair to share the points between you? And please inform me how to do that. (Will I have to post another question specially for one of you?)
I was lucky as the virus didn't infect the BIOS. Then I followed the steps as you told me. One of my friends suggested that I use Tiramisu, a software that can recover data even if the MBR is damaged. It is said to be a very effective program. But luckily I didn't have any important data on my HDD.
Again, thanks to all...

About points:
You can't lower the points for a question.
To split points, you need to submit a 0 point question in http://www1.experts-exchange.com/Customer_Service/Experts_Exchange/
Where you provide a link to this question and ask them to split points between Bobinmad and tonnybrandt, if that's what you want to do.
It's your choice.

-If your PC is able to boot at all, your BIOS has definitely NOT been modified

-If you want to recover your data, do not make any changes with fdisk or format. If your drive was FAT32 and you haven't made any modifications to the disk since the virus struck, the FIX-CIH utility from http://www.grc.com should be able to recover all the data.

-The CIH cleaners like CLEANCIH and KILL_CIH won't do any good until after the partition(s) have been restored
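The AVP text earlier in the thread says the trigger routine overwrites the MBR and boot sectors with direct disk writes, and the advice just above is not to touch the disk with fdisk or format while a FAT32 volume may still be recoverable. A useful check before doing anything destructive is whether the first sector still parses as a valid MBR and whether a volume's first sector still parses as a FAT32 boot sector. The Python script below is an added example for that check; it is not code from this thread nor from any tool named here (FIX-CIH, CLEANCIH, KILL_CIH, Tiramisu). Field offsets are the standard MBR and FAT32 BPB layout; the sample sectors are constructed inside the script, and the "wiped" sector is simply zero-filled as a stand-in for whatever the virus actually wrote.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
# Standard MBR partition-type IDs for FAT volumes (a subset, for reporting only)
FAT_TYPES = {0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x0B: "FAT32",
             0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)"}


def parse_partition_entry(raw: bytes) -> dict:
    """Decode one 16-byte MBR partition entry: boot flag, type ID, LBA start and size."""
    lba_start, lba_size = struct.unpack_from("<II", raw, 8)
    return {"boot_flag": raw[0], "type": raw[4], "type_name": FAT_TYPES.get(raw[4], "other"),
            "lba_start": lba_start, "lba_size": lba_size}


def check_mbr(sector: bytes) -> dict:
    """Sanity-check a 512-byte MBR image and return the parsed table plus a list of problems.

    An empty problem list means the partition table is plausibly intact and a recovery
    tool has something to work with; several problems at once suggest the sector was overwritten.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    # Boot code consisting of one repeated byte (all 0x00, all 0xFF, ...) is a sign of a wiped sector
    if len(set(sector[:PART_TABLE_OFFSET])) <= 1:
        problems.append("boot code area is a single repeated byte")
    partitions, active = [], 0
    for slot in range(4):
        raw = sector[PART_TABLE_OFFSET + 16 * slot: PART_TABLE_OFFSET + 16 * (slot + 1)]
        if not any(raw):
            continue  # unused slot, all zeros
        entry = parse_partition_entry(raw)
        if entry["boot_flag"] == 0x80:
            active += 1
        elif entry["boot_flag"] != 0x00:
            problems.append(f"slot {slot}: invalid boot flag 0x{entry['boot_flag']:02x}")
        if entry["type"] == 0x00 or entry["lba_size"] == 0:
            problems.append(f"slot {slot}: entry has type 0 or zero length")
        partitions.append(entry)
    if not partitions:
        problems.append("partition table is empty")
    elif active != 1:
        problems.append(f"expected exactly one active partition, found {active}")
    return {"intact": not problems, "problems": problems, "partitions": partitions}


def check_fat32_boot_sector(sector: bytes) -> dict:
    """Check the BPB fields of a FAT32 volume boot sector for plausibility."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector image must be exactly 512 bytes")
    problems = []
    if sector[0] not in (0xEB, 0xE9):
        problems.append("no jump instruction at offset 0")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        problems.append(f"bytes per sector {bytes_per_sector} is not valid")
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        problems.append("sectors per cluster is not a power of two")
    if sector[16] not in (1, 2):
        problems.append("number of FATs is not 1 or 2")
    if sector[82:87] != b"FAT32":
        problems.append("file-system type string at offset 82 is not FAT32")
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    return {"intact": not problems, "problems": problems}


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code plus one active FAT32 (LBA) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:PART_TABLE_OFFSET] = bytes(i & 0xFF for i in range(PART_TABLE_OFFSET))
    # boot flag, CHS start, type 0x0C, CHS end, LBA start 63, LBA size (~1 GB at 512-byte sectors)
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x0C, b"\xfe\xff\xff", 63, 2097089)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_sample_fat32_boot_sector() -> bytes:
    """Constructed FAT32 boot sector with a minimal, consistent BPB."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x58\x90"          # jump over the BPB
    sector[3:11] = b"MSWIN4.1"             # OEM name as Win98 writes it
    struct.pack_into("<HBHB", sector, 11, 512, 8, 32, 2)  # bytes/sector, sectors/cluster, reserved, FATs
    sector[82:90] = b"FAT32   "
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    # Read the first 512 bytes of a raw disk image to check a real MBR; here the samples are constructed
    for label, report in (("intact MBR", check_mbr(build_sample_mbr())),
                          ("zero-filled MBR", check_mbr(bytes(SECTOR_SIZE))),
                          ("FAT32 boot sector", check_fat32_boot_sector(build_sample_fat32_boot_sector()))):
        print(f"{label}: {'OK' if report['intact'] else 'damaged: ' + '; '.join(report['problems'])}")
```

To run it against a real disk, take the sector images offline (for example the first 512 bytes of a raw image of the disk, or the sector at a partition's LBA start for the FAT32 check) and pass those bytes to the two check functions; read-only inspection leaves the disk untouched, which is the point of the advice above.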

Domandro: you can now accept one of bobinmad or tonnybrandt's comments as an answer to award the first half of the points. For the second Expert, create a new question in this topic area. The title should be 'For ExpertName -- 10334113' and it should be for 75 points.

Remember, the Accept Comment as Answer button is in the header of the comment.

>>I'll bet Dell just repartitioned them and reformatted them and sold them to someone else.

Unless they have a "super-duper" low-level format utility, I doubt it. I tried for many hours to get both disks back up, repartitioning, formatting, and low-level formatting, and nothing worked. I think that they are currently ballast on a Hong Kong junk.

But, as happens from time to time, me could be wrong, either way, I am just glad that Dell stands, in my eyes, 100% behind their products, and not some 'fine print'.

Nfroio:
Hard drives erased by CIH are still not physically damaged, for instance see all the people that successfully recovered their drives at http://grc.com/cih-letters.htm

My guess would be that you set the drive parameters wrong in the CMOS or you forgot to set one of the partitions active, but I suppose that it's also possible the hard drive could have coincidentally died at around the same time.

Let us remember, there are also different types of drives, perhaps such a damage capability is limited to a certain kind of a drive or bios etc.

I tinkered with viruses one night, reading their hex. I must've been brain dead, for I rebooted with the floppy ready to load. As I heard the spin up, I 'knew'. In a flash I got the diskette to pop out. Too late. This was one with a trigger date, and the clock had just moved past midnight, for that trigger.

Imagine how I felt!

The thing is, the virus had been around a while. BIOS changed. Drive geometry changed. I 'lucked out' and found it was too primitive to wipe the sectors it had planned to.

I am not saying play with virus or don't. I am saying that disk access methods change over time, and so concerning issues like this thread, I am curious about any differences that have been distinguished between some of the disk types, of bios, or other disk access method.

The subsequent Love_Bug hit my inbox. I thought it would not run. So I tried it as a 'proof'. I was right this time; my system is/was too primitive for it to work. That is my curiosity, on the distinctions that there may be for the behavior.

If a family is fortunate where husband has pc with scsi drive, and mother has pc with IDE, can they be made aware that one unit is more or less vulnerable to a virus_of_the_week? Any way they can get information to make more informed decisions as to which one gets to connect to internet next?
